Feeds

NYT scareware scam linked to click fraud botnet

Ukrainian fan club cheer on all sorts of mischief

Next gen security for virtualised datacentres

A botnet, initially run through compromised servers in the Bahamas, has been blamed for the recent upsurge in scareware scams.

Researchers from security firm Click Forensics have tied the Bahama botnet to a recent attack that resulted in pop-up ads punting rogue anti-virus software appearing via the New York Times website. The scam attempted to trick surfers into purchasing software called Personal Antivirus by falsely warning that their systems were infected with non-existent threats.

Personal Antivirus, far from offering a clean-up utility as advertised, infected compromised systems with a Trojan. Click Forensics said this Trojan is distributed by a gang of cybercrooks in the Ukraine called the Ukrainian fan club, who are also heavily involved in click fraud.

"We believe the Bahama botnet is controlled by this same gang, or their neighbors down the street," Click Forensics reports. "We’re pretty sure the Bahama botnet is related to the Ukrainian fan club and the NYTimes.com scareware because they each phone back to a bogus 'Windows protection' domain located on the same IP address."

Compromised hosts in the Bahama botnet generate auto-generated clicks as part of a click fraud scam that offers an additional income for crooks. This click fraud traffic is carefully designed to elude detection by search engines and ad networks by mimicking genuine searches. "The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines," Paul Pellman, chief exec of Click Forensic, explained.

Click Forensics first detected the Bahama botnet when they discovered it was redirecting traffic through 200,000 parked domain sites located in the Bahamas. Since then the zombie network has been reprogrammed to redirect traffic through other intermediate sites hosted in the Netherlands, US and the UK. The click fraud carried out by the botnet is explained in more detail in the video (below).

More on the Ukrainian "fan club" and its involvement in the NYT malvertisement campaign can be found in a blog post by independent security researcher Dancho Danchev here. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.